Fourth Circuit Decision in Marriott Data Breach Case Kicks the Can Down the Road | Electronic Frontier Foundation

Fourth Circuit Decision in Marriott Data Breach Case Kicks the Can Down the Road
BY CINDY COHNAUGUST 24, 2023

When a company that collected your personal data negligently fails to secure it, you should have accountability and relief—including standing to sue.

EFF and our friends at Electronic Privacy Information Center filed an amicus brief in late November pointing this out to the U.S. Court of Appeals for the Fourth Circuit in a case arising from the 130 million consumer records stolen from Marriott in 2018. We detailed the science and evidence demonstrating that people impacted by such data breaches run the risk of identity theft, ransomware attacks and increased spam, along with corresponding increased anxiety, depression and other psychological injuries.

The Fourth Circuit’s decision last week didn’t address our arguments; instead it just kicked the can down the road. The appeals court found that the trial court had not properly considered whether consumers had waived their rights to bring a class action by joining Marriott’s loyalty programs— those programs that advertise huge benefits to loyal customers but put the costs you pay (like decreased ability to sue) into the fine print that no one reads.

We strongly disagree with the suggestion that any Marriott customer meaningfully agreed to waive a class action here. Few if any customers read a hotel loyalty program’s fine-print terms and conditions, much less knowingly waive their right to bring a class action if the company negligently lets their data fall into the hands of thieves. We hope that on remand, the trial court will reject Marriott’s poorly-taken waiver argument, and we can get back to trying to ensure that consumers have real accountability when companies fail to protect the data they increasingly extract from us.

This decision highlights one of EFF’s criticisms of the proposed American Data Privacy and Protection Act last year. One of the reasons we did not support the bill was that it failed to override bogus waivers such as this. Privacy laws need to be strong and not full of holes that leave us without protection because of a single click or some tiny fine print that no one reads. We need a strong data privacy law that prohibits waivers and mandatory arbitration requirements letting companies sidestep users’ basic legal rights.

We’ll keep watching this important case and standing up for your rights both in the courts and in Congress.